Bug#798893: marked as done (jessie-pu: package php-dropbox/1.0.0-3+deb8u1)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798893,
regarding jessie-pu: package php-dropbox/1.0.0-3+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
798893: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798893
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: jessie-pu: package php-dropbox/1.0.0-3+deb8u1
• From: David Prévot <taffit@debian.org>
• Date: Sun, 13 Sep 2015 16:37:19 -0400
• Message-id: <55F5DE7F.4000905@debian.org>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As already discussed with the security team, please accept the fix for
CVE-2015-4715 in php-dropbox. Source debdiff attached.

As noted in the ownCloud tracker, the issue is only relevant if a server
runs PHP below 5.6.0, or if some default has been changed. Yet, since
the owncloud (and php-dropbox) packages from Jessie can be used (and I
know they are actually used) out of the box on Wheezy, having the fix in
the next point release makes sense.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-005

Regards

David

diff --git a/debian/changelog b/debian/changelog
index aa86e22..c643681 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-dropbox (1.0.0-3+deb8u1) jessie; urgency=medium
+
+  * Refuse to handle any files containing a @ [CVE-2015-4715]
+  * Track Jessie
+
+ -- David Prévot <taffit@debian.org>  Sat, 05 Sep 2015 14:19:37 -0400
+
 php-dropbox (1.0.0-3) unstable; urgency=medium
 
   * Include ownCloud specific patches
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch
new file mode 100644
index 0000000..acd912b
--- /dev/null
+++ b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch
@@ -0,0 +1,30 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Tue, 7 Apr 2015 15:12:10 +0200
+Subject: Revert custom patch that can cause problems
+
+Origin: upstream, https://github.com/owncloud/core/commit/7071cf15c25be4a0e4178019c625c57b898e4216
+---
+ Dropbox-1.0.0/Dropbox/OAuth/Curl.php | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
+index 6ea6873..9aa6852 100644
+--- a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
++++ b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
+@@ -72,8 +72,14 @@ class Dropbox_OAuth_Curl extends Dropbox_OAuth {
+ 		if (strtoupper($method) == 'POST') {
+ 			curl_setopt($ch, CURLOPT_URL, $uri);
+ 			curl_setopt($ch, CURLOPT_POST, true);
+-// 			if (is_array($arguments))
+-// 				$arguments=http_build_query($arguments);
++
++ 			//if (is_array($arguments))
++ 			//	$arguments=http_build_query($arguments);
++ 			foreach ($arguments as $key => $value) {
++ 				if($value[0] === '@') {
++					exit();
++				}
++			}
+ 			curl_setopt($ch, CURLOPT_POSTFIELDS, $arguments);
+ // 			$httpHeaders['Content-Length']=strlen($arguments);
+ 		} else {
diff --git a/debian/patches/series b/debian/patches/series
index 5c66984..a104f36 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Include-ownCloud-specific-patches.patch
+0002-Revert-custom-patch-that-can-cause-problems.patch

Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---

--- Begin Message ---

• To: 783355-done@bugs.debian.org, 784944-done@bugs.debian.org, 787021-done@bugs.debian.org, 787423-done@bugs.debian.org, 791403-done@bugs.debian.org, 792468-done@bugs.debian.org, 792806-done@bugs.debian.org, 793556-done@bugs.debian.org, 794940-done@bugs.debian.org, 796281-done@bugs.debian.org, 797170-done@bugs.debian.org, 797710-done@bugs.debian.org, 798028-done@bugs.debian.org, 798584-done@bugs.debian.org, 798749-done@bugs.debian.org, 798889-done@bugs.debian.org, 798890-done@bugs.debian.org, 798891-done@bugs.debian.org, 798892-done@bugs.debian.org, 798893-done@bugs.debian.org, 798895-done@bugs.debian.org, 799033-done@bugs.debian.org, 799070-done@bugs.debian.org, 799229-done@bugs.debian.org, 799230-done@bugs.debian.org, 799369-done@bugs.debian.org, 799477-done@bugs.debian.org, 799758-done@bugs.debian.org, 799777-done@bugs.debian.org, 800006-done@bugs.debian.org, 800664-done@bugs.debian.org, 800793-done@bugs.debian.org, 800881-done@bugs.debian.org, 801095-done@bugs.debian.org, 801098-done@bugs.debian.org, 801100-done@bugs.debian.org, 801304-done@bugs.debian.org, 801318-done@bugs.debian.org, 801441-done@bugs.debian.org, 801580-done@bugs.debian.org, 801743-done@bugs.debian.org, 801851-done@bugs.debian.org, 801892-done@bugs.debian.org, 802851-done@bugs.debian.org, 802879-done@bugs.debian.org, 802900-done@bugs.debian.org, 802942-done@bugs.debian.org, 803362-done@bugs.debian.org, 803467-done@bugs.debian.org, 803490-done@bugs.debian.org, 803569-done@bugs.debian.org, 803678-done@bugs.debian.org, 803730-done@bugs.debian.org, 804157-done@bugs.debian.org, 804172-done@bugs.debian.org, 804208-done@bugs.debian.org, 804381-done@bugs.debian.org, 804383-done@bugs.debian.org, 804734-done@bugs.debian.org, 804885-done@bugs.debian.org, 805024-done@bugs.debian.org, 805127-done@bugs.debian.org, 805190-done@bugs.debian.org, 805214-done@bugs.debian.org, 805260-done@bugs.debian.org, 805293-done@bugs.debian.org, 805383-done@bugs.debian.org, 805634-done@bugs.debian.org, 805721-done@bugs.debian.org, 805894-done@bugs.debian.org, 806129-done@bugs.debian.org, 806165-done@bugs.debian.org, 806247-done@bugs.debian.org, 806252-done@bugs.debian.org, 806338-done@bugs.debian.org, 806529-done@bugs.debian.org, 806640-done@bugs.debian.org, 807129-done@bugs.debian.org, 807140-done@bugs.debian.org, 807142-done@bugs.debian.org, 807273-done@bugs.debian.org, 807280-done@bugs.debian.org, 807467-done@bugs.debian.org, 807489-done@bugs.debian.org, 807515-done@bugs.debian.org, 807576-done@bugs.debian.org, 807612-done@bugs.debian.org, 807828-done@bugs.debian.org, 807917-done@bugs.debian.org, 808559-done@bugs.debian.org, 808890-done@bugs.debian.org, 809200-done@bugs.debian.org, 809255-done@bugs.debian.org, 809258-done@bugs.debian.org, 809307-done@bugs.debian.org, 809534-done@bugs.debian.org, 809561-done@bugs.debian.org, 809688-done@bugs.debian.org, 809757-done@bugs.debian.org, 809824-done@bugs.debian.org, 810004-done@bugs.debian.org, 810111-done@bugs.debian.org, 810130-done@bugs.debian.org, 810542-done@bugs.debian.org, 810760-done@bugs.debian.org, 810887-done@bugs.debian.org, 811132-done@bugs.debian.org, 811320-done@bugs.debian.org, 792779-done@bugs.debian.org
• Subject: 8.3 point release cleanup
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 23 Jan 2016 13:57:15 +0000
• Message-id: <1453557435.1835.52.camel@adam-barratt.org.uk>

Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---